33 Replies Latest reply: Jan 9, 2014 1:19 PM by Andrew-ACT-ACSA
YLEECoyote Level 1 (0 points)

Just finished installing Lion.  Need to know what specific ports are required to open on a firewall to support external access for Profile Manager for provisioning iPhone/iPad?

iPad, iOS 4.3.3
  • Tim Bloom1 Level 1 (110 points)

    Most of the items are accessible via 443 (HTTPS) for the enrollment web interface, but I also had to open port 1640 for SCEP in order to enroll any machines outside the firewall.

  • huwenphut Level 1 (10 points)

    Is this why when I try to enroll, I am getting Certificate Error?

  • Tim Bloom1 Level 1 (110 points)

    No, for that you'll need to either have a trusted SSL certificate or turn on profile signing and install the trust profile before enrolling. I hear that works, though I have a CA-signed SSL cert so I'm not 100% sure.

  • hjlinde Level 1 (0 points)

    Credit to Arek Dreyer for these


    If you need to access your MDM server from the "outside world" you need the following ports, all TCP

    Web SSL: 443

    APNS: 5223

    SCEP: 1640


    Alternatively, if you don't need access from outside world to your MDM server you only need:

    APNS: 5223


    Without access to APNS, the whole profile pushing etc won't work.

  • kmarkevich Level 1 (0 points)

    Just for my clarification, please... For external access, must the Internet router have a static IP and those ports forwarded to the MDM server?


    I was also wondering where in the process the device learns the external IP of the server to contact. I understand when there's an update/lock/wipe/etc. the server contacts the APNS, the APNS tells the device to contact the server, but how does the device know the address of the server?


    Thanks for any additional info anyone can provide.

  • hjlinde Level 1 (0 points)

    To answer your second question: I'd wager that it's during the enrollment of the devices, which installs a profile on the device. From there it knows where its MDM server is. With that in place, it simply receives push notifications which tell it, "oi! go fetch at the MDM". Haven't played around too much with it, but that's my guesstimate.


    Re your first question. I'm about to actively play with it so then I'll probably know more, but in the meanwhile....


    That should help you.

  • huwenphut Level 1 (10 points)


    Finally, documentation that spells a lot of stuff out.  Worth the $4.99.




    Watch out when creating SSL certificate.  Testing the PM now.

  • huwenphut Level 1 (10 points)

    SUCCESS!  Heads up, do not try to enroll 2 devices at the same time.  iPhone worked flawlessly.  iPad initially had issues (worked the 2nd time).  Thanks to Jerry Miles @ Apple.

  • kmarkevich Level 1 (0 points)

    Thanks. It's a pain without proper documentation. We did get Profile Manager working, although within a closed network. It's quite slick when it works.


    However, we need to access the devices over the Internet and cell network, so was wondering what exactly is required. The Profile Manager Help doc states the MDM server must have a static Internet IP. And with those ports open I would believe. We're just looking at doing that in the most secure manner.

  • iSumi Level 1 (10 points)

    Look here:




    For Profile Manager I opened/forwarded these ports:



    Port TCP 443 (https)

    Port TCP 1640 (SCEP)

    Port TCP 5223 (APNS)

    Port TCP 2195 (APNS)

    Port TCP 2196 (APNS)

  • Andrew-ACT-ACSA Level 2 (350 points)

    This is an old post but it comes up in Google searches now and it's important people don't make firewall mistakes.


    Ports 5223, 2195 and 2196 are for outbound purposes only and are only for contact with Apple's network. Firewalls should lock these down to outbound only. Devices do not talk to your server on these ports. So you should not open these ports inbound to your network. Neither do you need to forward them in a NAT'd environment. Your server is the only thing which needs 2195 and 2196. The devices and the server will use 5223. They create outbound persistent connections to these. The connection to these will never be initiated inbound to devices or the server.


    Your devices do need to contact your server on 443 and 1640.
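    The two points raised above, that an enrolled device learns its server's address from the enrollment profile (kmarkevich's question and hjlinde's guess) and that 5223/2195/2196 are outbound-only while only 443 and 1640 are inbound (Andrew's post), can be checked mechanically. The script below is an added example, not code from this thread or from Apple: it parses a constructed enrollment profile, pulls the SCEP URL and the MDM payload's ServerURL/CheckInURL (the documented keys a device uses to find its server), derives the firewall policy, flags the mistake of opening APNs ports inbound, and emits a pf ruleset for Mountain Lion's firewall. The host mdm.example.com, the server address 198.51.100.10, the URL paths and the interface name en0 are placeholders; 17.0.0.0/8 is Apple's published address block for APNs.

```python
"""Derive the Profile Manager firewall policy from an enrollment profile.

Added example (not from the thread). The APNs push itself carries no server
address: the device contacts the ServerURL/CheckInURL it was given in the MDM
payload at enrollment, and the SCEP URL for certificate enrollment.
"""
import plistlib
from urllib.parse import urlsplit

APNS_NET = "17.0.0.0/8"          # Apple's published address block for APNs
APNS_PORTS = (2195, 2196, 5223)  # outbound only: server->APNs, device/server<-APNs

# Constructed sample profile (placeholder host and paths, not Profile Manager's real ones).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.mdm.enroll",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.scep",
            "PayloadIdentifier": "com.example.mdm.scep",
            "PayloadContent": {"URL": "https://mdm.example.com:1640/scep",
                               "Name": "Example Profile Manager CA"},
        },
        {
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "com.example.mdm.payload",
            "ServerURL": "https://mdm.example.com/mdm/connect",
            "CheckInURL": "https://mdm.example.com/mdm/checkin",
            "Topic": "com.apple.mgmt.External.example",
        },
    ],
})


def url_endpoint(url):
    """(host, port) a device will connect to for an https URL in a profile."""
    u = urlsplit(url)
    if u.scheme != "https":
        raise ValueError(f"expected an https URL, got {url!r}")
    return (u.hostname, u.port or 443)


def device_endpoints(profile_bytes):
    """Hosts/ports the *device* contacts, learned purely from the profile."""
    profile = plistlib.loads(profile_bytes)
    endpoints = set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.security.scep":
            endpoints.add(url_endpoint(payload["PayloadContent"]["URL"]))
        elif ptype == "com.apple.mdm":
            for key in ("ServerURL", "CheckInURL"):
                if key in payload:
                    endpoints.add(url_endpoint(payload[key]))
    return endpoints


def firewall_policy(profile_bytes, server_ip):
    """(direction, src, dst, port) tuples: inbound only for what the profile names."""
    rules = [("in", "any", server_ip, port)
             for _host, port in sorted(device_endpoints(profile_bytes))]
    rules += [("out", server_ip, APNS_NET, 2195),   # server -> APNs gateway
              ("out", server_ip, APNS_NET, 2196),   # server -> APNs feedback
              ("out", "any", APNS_NET, 5223)]       # server and LAN devices -> APNs
    return rules


def inbound_apns_mistake(rules):
    """True if any rule opens an APNs port inbound (the mistake Andrew warns about)."""
    return any(d == "in" and p in APNS_PORTS for d, _s, _t, p in rules)


def pf_ruleset(rules, server_ip, ext_if="en0"):
    """Render rules as pf syntax; every rule is 'quick', so first match wins."""
    apns = ", ".join(str(p) for p in APNS_PORTS)
    lines = [f"block in quick on {ext_if} proto tcp to {server_ip} port {{ {apns} }}"]
    for direction, src, dst, port in rules:
        lines.append(f"pass {direction} quick on {ext_if} proto tcp from {src} "
                     f"to {dst} port {port} flags S/SA keep state")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    policy = firewall_policy(SAMPLE_PROFILE, "198.51.100.10")
    print(pf_ruleset(policy, "198.51.100.10"))
```

    Save the printed ruleset to a file and run pfctl -vnf that-file to syntax-check it without loading it. The 5223 egress rule only covers traffic that passes through the server's own interface; devices on the LAN need the same outbound allowance on the perimeter firewall, and nothing needs to be forwarded inbound for any of the three APNs ports.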

  • MattRK Level 1 (0 points)



    Are those two ports only used for enrollment, or do the devices regularly communicate with the server on those ports when they are outside of the network (on 3G/4G, for example)? I'm just wondering if I need to open those ports if I'm doing the enrollment from within my network.



  • Andrew-ACT-ACSA Level 2 (350 points)

    They don't regularly communicate on those ports by themselves without prompting from you. Any time you save changes to the configuration profile(s), the devices will be told by the APNS to go get the profile(s). So your devices will need to be able to access those ports any time you change the profiles. Additionally, other information pulls from the devices that you might trigger will also require those ports to be open so that the devices can deliver the requested info to your server.


    Perhaps, though, if you think your profiles are settled and you won't require regular info updates from the devices, then you could close those ports until needed again. Even if you wanted to lock or remote wipe the devices outside of your network, that should still work without those ports being open. For locking or remote wiping, the APNS will deliver those instructions to the device. It doesn't need to dial home first in those cases.

  • iPad786 Level 1 (0 points)

    Hi All

    I have configured MDM with Mountain Lion, Server Tools 2.2.1; it worked fine with an iOS device (checked with an iPad).

    But when I push to OS X devices, it gets stuck. After a lot of searching on Google I found some threads where people had the same issues.




    The solution was to open the following ports:

    To use Profile Manager, you should ensure that the following ports are open on your network.


    Port        Protocol  Use
    2195, 2196  TCP       Used by Profile Manager to send push notifications
    5223        TCP       Used to maintain a persistent connection to APNs and receive push notifications
    80/443      TCP       Provides access to the web interface for Profile Manager admin
    1640        TCP       Enrollment access to the Certificate Authority


    But when I tried to open the ports (tried both text-based and with IceFloor):
    # ipfw rule numbers run from 1 to 65535, so "add 78600" is rejected as an illegal rule number;
    # several rules may share one number, and without an in/out keyword each rule matches both directions
    sudo ipfw add 27860 allow tcp from any to any dst-port 2196
    sudo ipfw add 27860 allow tcp from any to any dst-port 2195
    sudo ipfw add 27860 allow tcp from any to any dst-port 5223

    When I use sudo lsof -i -P | grep -i "listen", it did not show me whether the ports are open.
